CVE-2021-3447 – ansible: multiple modules expose secured values
https://notcve.org/view.php?id=CVE-2021-3447
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2. • https://bugzilla.redhat.com/show_bug.cgi?id=1939349 https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MS4VPUYVLGSAKOX26IT52BSMEZRZ3KS https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JBZ75MAMVQVZROPYHMRDQKPPVASP63DG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RUTGO4RS4ZXZSPBU2CHVPT75IAFVTTL3 https://access.redhat.com/security/cve/CVE-2 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2021-20178 – ansible: user data leak in snmp_facts module
https://notcve.org/view.php?id=CVE-2021-20178
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. Se encontró un fallo en el módulo ansible donde las credenciales son reveladas en el registro de la consola por defecto y no están protegidas por la característica de seguridad cuando se usa el módulo bitbucket_pipeline_variable. Este fallo permite a un atacante robar las credenciales del módulo bitbucket_pipeline. • https://bugzilla.redhat.com/show_bug.cgi?id=1914774 https://github.com/ansible-collections/community.general/pull/1635%2C https://github.com/ansible/ansible/blob/v2.9.18/changelogs/CHANGELOG-v2.9.rst#security-fixes%2C https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUQ2QKAQA5OW2TY3ACZZMFIAJ2EQTG37 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIU7QZUV73U6ZQ6 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2021-20191 – ansible: multiple modules expose secured values
https://notcve.org/view.php?id=CVE-2021-20191
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected. • https://bugzilla.redhat.com/show_bug.cgi?id=1916813 https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html https://access.redhat.com/security/cve/CVE-2021-20191 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2021-20180 – module: bitbucket_pipeline_variable exposes secured values
https://notcve.org/view.php?id=CVE-2021-20180
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. Se ha encontrado un fallo en el módulo de ansible en el que las credenciales son divulgadas en el registro de la consola por defecto y no están protegidas por la función de seguridad cuando es usado el módulo bitbucket_pipeline_variable. Este fallo permite a un atacante robar las credenciales de bitbucket_pipeline. • https://bugzilla.redhat.com/show_bug.cgi?id=1915808 https://access.redhat.com/security/cve/CVE-2021-20180 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2020-2310
https://notcve.org/view.php?id=CVE-2020-2310
Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Una falta de comprobación de permisos en Jenkins Ansible Plugin versiones 1.0 y anteriores, permiten a atacantes con permiso Overall/Read enumerar los ID de credenciales almacenadas en Jenkins • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-1943 •